Malware

Trend Micro reports on macro-based qkG Filecoder ransomware

> QkG Filecoder is a file-encrypting ransomware written entirely in VBA macros.

> The macros lower Word's security settings and infect the normal.dot template, loading the malicious code into every Word instance. When a user closes a document, the file's contents are encrypted.

> The threat actor, allegedly located in Vietnam and going by the name TNA-MHT-TT2, is demanding a ransom of $300 in Bitcoin.

- Source (http://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/) -
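A defender's check for the two mechanisms described above (Word macro settings lowered in the registry, and a modified global template), added here as an example and not code from the Trend Micro report; the registry value names, the Office version keys and the Normal.dotm path are assumptions based on documented Office settings.

```powershell
# Added example: report Word macro security settings and the state of the
# global template on the current user's profile. Value names and paths are
# assumptions taken from documented Office settings, not from the report.
$versions = '16.0', '15.0', '14.0'   # Office 2016/365, 2013, 2010
foreach ($v in $versions) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
    if (-not (Test-Path $key)) { continue }
    $sec = Get-ItemProperty -Path $key
    # VBAWarnings: 1 = enable all macros (weakest), 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification
    $warn = $sec.VBAWarnings
    # AccessVBOM = 1 lets a macro read and write other documents' VBA projects,
    # which is what template infection needs
    $vbom = $sec.AccessVBOM
    [pscustomobject]@{
        Office      = $v
        VBAWarnings = $warn
        AccessVBOM  = $vbom
        Weakened    = ($warn -eq 1) -or ($vbom -eq 1)
    }
}

# Normal.dotm is loaded by every Word instance. A clean template contains no
# VBA project; the .dotm is an OOXML zip, so look for word/vbaProject.bin.
$normal = Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dotm'
if (Test-Path $normal) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($normal)
    try {
        $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -eq 'word/vbaProject.bin' })
    } finally {
        $zip.Dispose()
    }
    $item = Get-Item $normal
    [pscustomobject]@{
        Template      = $normal
        LastWrite     = $item.LastWriteTime   # recent write on an unmodified profile is worth a look
        SizeBytes     = $item.Length
        HasVbaProject = $hasVba              # $true means the global template carries macro code
    }
}
```

Run it under the user's own account, since the settings live under HKCU; an unexpected `Weakened = True` or `HasVbaProject = True` is the condition to investigate, and resetting VBAWarnings to 4 and AccessVBOM to 0 restores the default hardening.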


Ongoing Campaigns

McAfee reports on the increase in cybercriminal use of malware miners

> The increase in illegal mining is directly correlated to the increase in value of cryptocurrencies, particularly Bitcoin, which has been rising in value for years.

> Cybercriminals have been innovating malware such as Dridex and Trickbot to include crypto-mining functions, which bypass the formal agreement stage and use a victim's computing power to mine for coins or locate and steal the user's cryptocurrency.

> McAfee reports that in September cybercriminals stole $63,000 worth of cryptocurrency in three months by taking advantage of a flaw in Microsoft Windows Internet Information Services.

- Source (https://securingtomorrow.mcafee.com/mcafee-labs/malware-mines-steals-cryptocurrencies-from-victims/) -

The Trickbot banking trojan gang is now using hybrid account checking attacks

> The group, reportedly the successor of the Dyre Wolf cyber gang, are using new attack methods. They are also expanding from targeting the financial sector to attack Russian and US-based companies in gaming, tech, cryptocurrency and other industries.

> The hackers are distributing spam emails delivering Trickbot. Upon infection, the victim's machine will download the backconnect SOCKS5 proxy module, allowing the hackers to enlist the machine's IP as its proxy.

> They will then use victim IPs as proxies to leverage username and password combinations for account checking activity. Since the gang's IP address is the same as its victims', the target companies' anti-fraud systems will not be able to detect the attack.

- Source (https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/) -

Possible Ukraine cyber gang targeting Canadian banking customers with phishing attacks

> IBM X-Force research said the attacks start with a spear phishing email that tricks stakeholders with account access to reveal their firm's banking credentials, passwords and two-factor authentication codes. The attackers then take over the account and transfer funds to mule accounts in their control.

> The criminals crafted customised PDF files that seemed to come from workers at the targeted businesses' banks, and urged victims to open the files to avoid canceled and delayed payments and transactions.

- Source (https://securityintelligence.com/canadian-business-banking-customers-hit-with-targeted-phishing-account-takeover-attacks/) -

€100,000 of Bitcoin allegedly stolen by hackers using a fake WiFi network

> Austrian police report that the victim logged into a restaurant's WiFi network on an "unknown, non-traceable account" to check the value of their Bitcoin.

> It is unclear if the Bitcoins had already been stolen prior to logging onto the network.

- Source (http://www.ibtimes.co.uk/fake-wifi-network-used-by-hackers-steal-more-100000-worth-bitcoin-1648424) -


Leaks & Breaches

Uber denies unauthorised customer transactions in Singapore are linked to its 2016 global data breach

> The cab-hailing firm said the data breach did not contain financial information and is thus unrelated. Some customers in Singapore have noted account and credit card charges for Uber rides they did not take in foreign countries.

- Source 1 (http://www.zdnet.com/article/uber-says-unauthorised-transactions-in-singapore-not-linked-to-global-breach/) - Source 2 (http://www.channelnewsasia.com/news/singapore/uber-users-in-singapore-charged-for-phantom-rides-overseas-9423624) -

Vulnerabilities

Samba releases patches for two vulnerabilities affecting Samba 4.0 and versions 3.6.0 onwards

> CVE-2017-14746 is a use-after-free error affecting all versions of Samba since 4.0. The bug allows an attacker to gain control over 'the contents of heap memory via a deallocated heap pointer', and possibly compromise the SMB server, through a malicious SMB1 request.

> CVE-2017-15275 affects all versions of Samba from 3.6.0 onwards, leaving them vulnerable to a 'heap memory information leak, where the server allocated heap memory may be returned to the client without being cleared.' These leaks may contain hashed passwords or other credentials.

- Source 1 (https://www.samba.org/samba/security/CVE-2017-14746.html) - Source 2 (https://www.samba.org/samba/security/CVE-2017-15275.html) -
CVE-2017-11826 exploited in politically themed malware campaign

> Fortinet reports that a malicious RTF file is utilised to deliver the malicious payload by abusing CVE-2017-11826, an object-handling vulnerability in Microsoft Office already patched in November.

> The content of the RTF file initially displays text about Aqua Mul Mujahidin, a jihadist group. After the exploit triggers, another document containing text from an article called Saudi Arabia's 'Game of Thrones' appears.

> The campaign is reportedly a targeted attack on specific institutions, rather than a full scale cyber crime campaign.

- Source (https://blog.fortinet.com/2017/11/22/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document) -

Arbitrary code execution vulnerability in 54 HP Inc printer models patched

> FoxGlove Security picked up on the vulnerability first in the firm's PageWide Enterprise Color MFP 586 and Color LaserJet Enterprise M553 printer models. FoxGlove informed HP in August and both coordinated the bug's disclosure for this week.

> The bug allowed researchers to execute code on the printers by reverse engineering .BDL extension files used in HP Solutions and firmware updates. CVE-2017-2750 was linked to 'insufficient solution DLL signature validation', making it possible for a potential attacker to run malware on an affected printer.

- Source 1 (https://support.hp.com/nz-en/document/c05839270) - Source 2 (https://foxglovesecurity.com/2017/11/20/a-sheep-in-wolfs-clothing-finding-rce-in-hps-printer-fleet/) -



The Silobreaker Team 

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.